EU AI Act Deadlines 2026: What Applies on August 2, and What Was Delayed

Where the AI Act stands in mid-2026

Regulation (EU) 2024/1689 (the AI Act) entered into force on 1 August 2024 with a staggered application schedule. Two waves have already landed:

• 2 February 2025: the Article 5 prohibitions (including emotion recognition in the workplace) and the Article 4 AI literacy obligation began to apply.
• 2 August 2025: the penalty framework, governance structures, and the general-purpose AI (GPAI) model obligations took effect.

The third wave arrives on 2 August 2026, and it is the one that converts the AI Act from a programme of obligations into a programme of enforcement.

What applies on 2 August 2026

1. Article 50 transparency obligations. The Act requires that people are told when they are interacting with an AI system and when content is AI-generated. Article 50(1) puts it directly:

“Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system…” Article 50(1), Regulation (EU) 2024/1689

Deployers carry parallel duties for emotion-recognition, biometric-categorisation, and deep-fake content. If your organisation publishes AI-generated material or runs customer-facing chatbots, these duties bind you from August 2.

2. National enforcement powers. This is the change most companies underestimate. The Article 4 AI literacy duty and the Article 5 prohibitions have applied since February 2025, but the national market surveillance authorities that supervise them only receive their formal powers on 2 August 2026. From that date, a duty that existed on paper has a regulator attached to it, with penalty regimes adopted under national law.

What the Digital Omnibus changed

On 7 May 2026, EU lawmakers reached political agreement on the Digital Omnibus for AI, after months of negotiation. The agreement (expected to be formally adopted before the August deadline) defers the high-risk obligations:

• Stand-alone high-risk systems (Annex III) (for example AI used in recruitment, credit scoring, or essential services) deferred to 2 December 2027.
• AI embedded in regulated products (Annex I) (machinery, medical devices, vehicles) deferred to 2 August 2028.

Three things were pointedly not delayed: the prohibitions, the AI literacy duty, and the transparency obligations. Brussels' message is consistent: the rules governing how organisations and their people use AI day to day are in force now and enforceable this summer. Only the heavyweight product-conformity machinery got more runway.

The fines, precisely

Article 99 sets three tiers, each “whichever is higher”:

1. €35,000,000 or 7% of total worldwide annual turnover: for non-compliance with the Article 5 prohibitions.
2. €15,000,000 or 3%: for breaches of most other obligations, including deployer duties and transparency.
3. €7,500,000 or 1%: for supplying incorrect, incomplete, or misleading information to authorities.

For scale: a company with €500M revenue faces a ceiling of €35M on the top tier. These sit alongside (not instead of) GDPR exposure of up to €20M or 4% for the same underlying incident if personal data was involved.

Why this lands on the desk of whoever owns AI usage

Most coverage of the AI Act focuses on AI vendors. But the Act regulates deployers (any organisation using AI systems under its authority), and in practice every company whose employees use ChatGPT, Claude, Gemini, or Copilot at work is a deployer. The August 2026 enforcement date therefore raises a question regulators are now empowered to ask:

“Show us how you know which AI systems your staff use, that your staff are equipped to use them responsibly, and that your usage complies with the prohibitions.”

An organisation that does not know which AI tools its employees use (the shadow AI problem) has no credible answer to the first part, which undermines every answer after it.

A pragmatic checklist for August 2

1. Inventory actual AI usage. Not the approved list. The real one. Browser-level visibility shows which AI tools employees actually touch and what categories of data flow toward them.
2. Confirm nothing prohibited is in use. Screen tools for Article 5 capabilities (workplace emotion inference, biometric categorisation, social scoring).
3. Stand up AI literacy you can evidence. Article 4 applies now and is enforceable from August. Training records help; in-the-moment guidance at the point of risk is stronger evidence that literacy is real (see our Article 4 deep-dive).
4. Label AI-generated and AI-interactive touchpoints. Audit chatbots and published AI content against Article 50.
5. Build the audit trail. Every step above produces evidence only if it is logged. A timestamped, exportable record of AI usage events is the artefact a market surveillance authority can actually inspect.

The deadline behind the deadline

The Omnibus bought time for high-risk conformity assessments. It bought no time at all for the basics: knowing your AI usage, training your people, and proving both. Those duties are live, and on 2 August 2026 the regulators arrive with the power to check.